On May 8, 2025, at 2:31 PM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
Recently, we migrated some of our RADIUS proxy servers from RADIUS (UDP) to RadSec (TCP) and I would like to still be able to monitor the upstream proxy servers.
When we were still using RADIUS (UDP), I was able to send a status-server RADIUS message to the upstream server directly, like this and report that back to PRTG (our monitoring tool):
echo 'Message-Authenticator = 0x00' | radclient -x 1.2.3.4 status secret
Now I would like to achieve something similar, after we migrated the proxy server 1.2.3.4 to TLS only.
It's a little more complex, but it shouldn't be hard.
My initial try was to setup something like this:
1. start a local socat listener on port UDP/11812 and tunnel it to
socat -v OPENSSL:1.2.3.4:2083,cert=/etc/freeradius/certs/radsec.pem,key=/etc/freeradius/certs/radsec.key,cafile=/etc/freeradius/certs/edupki-root-ca-cert.pem,verify=0 UDP-RECV:11812
2. send a standard RADIUS (UDP) status-server packet to the localhost port UDP/11812:
echo 'Message-Authenticator = 0x00' | radclient -x localhost:11812 status radsec -t 1
That should be fine.
3. unfortunately, this isn’t straight forward:
You’re trying to receive UDP packets on port 11812 and send them via TLS/TCP using socat. That conceptually makes sense — it’s what RADIUS-over-TLS (RadSec) does — but unfortunately, RADIUS over TLS is not just “UDP in TLS over TCP”. RadSec uses a specific framing: each RADIUS packet must be prefixed with a 2-byte length field when encapsulated over TCP/TLS (per RFC 6614).
Uh, what? No. They're just RADIUS packets over TLS. There is no 2 byte length prefix.
Does anybody have an idea, how to implement a simple RadSec / TLS status-server test, maybe with a „workaround“ or a detour over the FreeRADIUS configuration?
socat might work. Did you try it? If so, what happened? Or, set up a local RADIUS proxy which accepts UDP, and sends packets over TLS to the remote server. But this doesn't really tell you a lot. If your proxy is sending packets to the remote server, just check the stats and logs on your local proxy. It will complain if the remote server is down. Alan DeKok.